A few days ago, one of my customers asked for help automating the process of adding all the IP addresses used by Dynamics 365 Finance and Operations to the Azure Key Vault network settings, so that only those addresses can use the Key Vault.
I did this using Power Automate as a POC, and the settings on the Key Vault were updated successfully. However, there are some considerations to keep in mind.
The outbound IP address from the AOS is an IP address from the listed ranges based on the Azure region of your deployment. The specific outbound IP address may vary across outbound requests, even from within the same session. You can find the outbound IP addresses by using the Service Tag Discovery API or using the downloadable JSON files. Infrastructure hosting your Microsoft-managed environments is registered as part of the PowerPlatformPlex Service Tag.
When the Service Tags API is called, you receive a JSON document with all Service Tags for the region you request.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/serviceTags?api-version=2024-03-01
The JSON contains all IP ranges for the different services in that region, but we will focus only on the PowerPlatformPlex.{region} node and only on the IPv4 addresses, because Key Vault only supports IPv4.
Before starting with Power Automate, it is necessary to create a Microsoft Entra app registration to manage the Key Vault settings and obtain the Service Tags from the API.
To manage Key Vault and the Service Tags API, you’ll need to set up a Microsoft Entra app registration (formerly known as Azure AD app registration) with the correct permissions. Here are the steps: Quickstart: Register an app in the Microsoft identity platform – Microsoft identity platform | Microsoft Learn
1. Configure API Permissions
After registering, you need to grant the necessary permissions for Key Vault management and access to the Service Tags API.
- Go to API permissions > Add a permission.
- Select Azure Key Vault:
- Choose Application permissions.
- Under Key Vault, add Key Vault Managed HSM Read and Key Vault Managed HSM Write permissions (or other specific permissions based on your requirements).
- Click Add permissions.
- After adding permissions, Grant admin consent for the permissions if required by your organization.
2. Assign the App Access to Key Vault
To allow this application to access your Key Vault:
- Go to the Azure portal and navigate to your Key Vault instance.
- Under Access policies, click Add Access Policy.
- Choose the appropriate Key Permissions, Secret Permissions, or Certificate Permissions based on your needs.
- Under Principal, search for and select your registered app.
- Click Add to finalize the policy, and then Save.
3. Assign Required Roles for Service Tags API
- In the Azure portal, go to Subscriptions (or Resource groups if you want to limit the scope).
- Select the subscription/resource group where you want this app registration to have access.
- Go to Access control (IAM) > Add role assignment.
- Select the Reader or Network Contributor role:
- Reader will give read-only access.
- Network Contributor will allow the app to manage networking resources, which includes reading service tags.
- Under Members, select User, group, or service principal and find your registered app.
- Click Save to assign the role.
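As an added example (not part of the original post), the following Python shows how the app registration created above obtains the bearer token that the flow's HTTP actions send to both the Service Tags API and the Key Vault API, and builds the Service Tags URL from the post. Both APIs live under Azure Resource Manager, so one token with the management.azure.com scope covers the whole flow. The tenant id, client id and secret are placeholders; `build_token_request`, `extract_token`, `get_management_token` and `service_tags_url` are names chosen here, not Power Automate or Azure SDK functions.

```python
"""Added example, not from the original post: client-credentials token for
the app registration, plus the Service Tags URL. Placeholders throughout."""
import json
import urllib.parse
import urllib.request

# Both the Service Tags API and the Vaults API are ARM endpoints, so a single
# token with this scope is enough for every HTTP action in the flow.
ARM_SCOPE = "https://management.azure.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for the Microsoft identity platform v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # keep this out of the flow definition; see note below
        "scope": ARM_SCOPE,
    }
    return url, urllib.parse.urlencode(form)


def extract_token(token_response):
    """Return the access token, or raise with the identity platform's error code."""
    if "error" in token_response:
        raise PermissionError(
            f"{token_response['error']}: {token_response.get('error_description', '')}"
        )
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in token response")
    return token_response["access_token"]


def get_management_token(tenant_id, client_id, client_secret):
    """Perform the token request (network call; not executed in this example)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url,
        data=body.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return extract_token(json.load(resp))


def service_tags_url(subscription_id, location):
    """The GET URL from the post with {subscriptionId} and {location} filled in."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Network/locations/{location}/serviceTags"
        "?api-version=2024-03-01"
    )


if __name__ == "__main__":
    url, body = build_token_request("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER")
    print(url)
    print(service_tags_url("SUBSCRIPTION-ID-PLACEHOLDER", "eastus"))
```

In the flow, the client secret should come from a secure input or a Key Vault secret rather than being typed into the Compose action that holds the login settings, because the flow definition is readable by anyone who can edit the flow.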
Creating the Power Automate flow
1. We add a manual trigger that receives the region name as a text parameter, for example “EastUS”
2. We add a string variable for the Service Tags API and another for the Key Vault API
3. We add an array variable to store all the IP addresses received from the Service Tag, and a Compose action to hold the JSON settings used to log in to the APIs
4. We add an HTTP action to make the first request to the Service Tags API and a Parse JSON action to parse the body returned by the API
This is the JSON schema for the body output:
{
  "type": "object",
  "properties": {
    "name": {
      "type": "string"
    },
    "id": {
      "type": "string"
    },
    "type": {
      "type": "string"
    },
    "changeNumber": {
      "type": "string"
    },
    "cloud": {
      "type": "string"
    },
    "values": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "id": {
            "type": "string"
          },
          "serviceTagChangeNumber": {
            "type": "string"
          },
          "properties": {
            "type": "object",
            "properties": {
              "changeNumber": {
                "type": "string"
              },
              "region": {
                "type": "string"
              },
              "state": {
                "type": "string"
              },
              "networkFeatures": {
                "type": "array",
                "items": {
                  "type": "string"
                }
              },
              "systemService": {
                "type": "string"
              },
              "AddressPrefixes": {
                "type": "array",
                "items": {
                  "type": "string"
                }
              }
            }
          }
        },
        "required": [
          "name",
          "id",
          "serviceTagChangeNumber",
          "properties"
        ]
      }
    },
    "nextLink": {
      "type": "string"
    }
  }
}
5. Since we are going to change the configuration through the Key Vault API, which receives the complete Key Vault configuration JSON as a parameter, any additional configuration made directly in the Azure portal or with the AZ command line must be included as well, so that we can change only the IP address node without affecting the rest of the configuration. In this step we obtain the JSON with the current Key Vault configuration.
Example of the current configuration:
{
  "id": "/subscriptions/subid/resourceGroups/demokeyvaultrg/providers/Microsoft.KeyVault/vaults/pocheb",
  "name": "demokeyvault",
  "type": "Microsoft.KeyVault/vaults",
  "location": "eastus",
  "tags": {},
  "systemData": {
    "createdBy": "admin@mydomain.com",
    "createdByType": "User",
    "createdAt": "2024-08-30T18:50:27.478Z",
    "lastModifiedBy": "admin@mydomain.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-11-02T19:07:42.006Z"
  },
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [
        {
          "value": "200.15.34.123/32"
        }
      ],
      "virtualNetworkRules": []
    },
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "6c0ad51c-0000-4b2b-0000-000000000000",
        "permissions": {
          "keys": [
            "Get"
          ],
          "secrets": [
            "Get"
          ],
          "certificates": [
            "Get"
          ]
        }
      }
    ],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enableRbacAuthorization": false,
    "vaultUri": "https://demokeyvault.vault.azure.net/",
    "provisioningState": "Succeeded",
    "publicNetworkAccess": "Enabled"
  }
}
6. We filter the Service Tags JSON to extract the PowerPlatformPlex addresses for the region with which the flow was executed.
The filter result is stored in the array variable.
7. Now it is necessary to filter the addresses variable to keep only the IPv4 addresses and remove the IPv6 ones, which are not supported by Key Vault.
8. Using a Select action, we build a map of values with the IP rules and the Allow or Deny action; it returns the array of values used to update the “ipRules” node of the configuration JSON.
9. Now we replace the “ipRules” node with the following expression:
setProperty(
  body('CurrentConfig'),
  'properties',
  setProperty(
    body('CurrentConfig')?['properties'],
    'networkAcls',
    setProperty(
      body('CurrentConfig')?['properties']?['networkAcls'],
      'ipRules',
      variables('ipRules')
    )
  )
)
10. As a final step, we invoke the Key Vault API and send as a parameter the output of our Compose action, which holds the full configuration JSON with the IP address changes.
The Key Vault API only accepts the PUT method to perform this action.
This is how the configuration JSON that we send to the Key Vault API looks:
{
  "sku": {
    "family": "A",
    "name": "standard"
  },
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "accessPolicies": [
    {
      "tenantId": "00000000-0000-0000-0000-000000000000",
      "objectId": "6c0ad51c-0000-4b2b-0000-000000000000",
      "permissions": {
        "keys": [
          "get"
        ],
        "secrets": [
          "get"
        ],
        "certificates": [
          "get"
        ]
      }
    }
  ],
  "enabledForDeployment": false,
  "enabledForDiskEncryption": false,
  "enabledForTemplateDeployment": false,
  "enableSoftDelete": true,
  "softDeleteRetentionInDays": 90,
  "enableRbacAuthorization": false,
  "vaultUri": "https://demokeyvault.vault.azure.net/",
  "provisioningState": "Succeeded",
  "publicNetworkAccess": "Enabled",
  "networkAcls": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "virtualNetworkRules": [],
    "ipRules": [
      {
        "value": "20.88.159.140/30",
        "action": "Allow"
      },
      {
        "value": "20.88.159.152/29",
        "action": "Allow"
      },
      {
        "value": "20.88.159.208/28",
        "action": "Allow"
      },
      {
        "value": "20.88.159.224/27",
        "action": "Allow"
      },
      {
        "value": "20.119.28.0/27",
        "action": "Allow"
      },
      {
        "value": "20.119.28.32/30",
        "action": "Allow"
      },
      {
        "value": "20.232.88.200/29",
        "action": "Allow"
      },
      {
        "value": "20.232.89.16/28",
        "action": "Allow"
      },
      {
        "value": "20.232.89.32/27",
        "action": "Allow"
      },
      {
        "value": "20.232.89.64/27",
        "action": "Allow"
      },
      {
        "value": "20.232.89.96/29",
        "action": "Allow"
      },
      {
        "value": "52.255.218.64/26",
        "action": "Allow"
      },
      {
        "value": "57.152.116.184/29",
        "action": "Allow"
      },
      {
        "value": "172.191.253.64/26",
        "action": "Allow"
      },
      {
        "value": "172.191.253.128/25",
        "action": "Allow"
      }
    ]
  }
}
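The following Python is an added example, not part of the original post or its Power Automate flow: it reproduces steps 4 to 10 (parse the Service Tags response, keep the PowerPlatformPlex.{region} node, drop IPv6 prefixes, shape the ipRules array, and write it back into the current configuration without touching any other setting) so the logic can be checked offline before it is wired into the flow. The service-tag response and the current vault configuration are constructed, trimmed imitations; the real responses are larger. Two things go beyond the post: `merge_ip_rules` refuses to write an empty list (with `defaultAction` set to `Deny`, an empty ipRules would cut off every caller not covered by `bypass`), and `keep_existing=True` retains manually added rules such as the `200.15.34.123/32` entry, which the flow on the page replaces. `build_put_body` wraps the result as `location` plus `properties`, which is what the Vaults Create Or Update request expects; the post's sample shows only the contents of `properties`. All function names are chosen here.

```python
"""Added example (not from the original post): steps 4-10 of the flow in
plain Python. Sample data and function names are constructed for this demo."""
import copy
import ipaddress
import json
import urllib.request

# Constructed, trimmed imitation of a Service Tags - List response.
SAMPLE_SERVICE_TAGS = {
    "values": [
        {
            "name": "PowerPlatformPlex.EastUS",
            "properties": {
                "region": "eastus",
                "systemService": "PowerPlatformPlex",
                "addressPrefixes": [
                    "20.88.159.140/30",
                    "2603:1030:20e:3::/64",  # IPv6: Key Vault cannot take it
                    "20.119.28.0/27",
                ],
            },
        },
        {
            "name": "Storage.EastUS",
            "properties": {"region": "eastus", "addressPrefixes": ["20.60.0.0/16"]},
        },
    ]
}

# Constructed imitation of the Vaults - Get response obtained in step 5.
SAMPLE_CURRENT_CONFIG = {
    "location": "eastus",
    "tags": {},
    "properties": {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "networkAcls": {
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [{"value": "200.15.34.123/32"}],  # added by hand earlier
            "virtualNetworkRules": [],
        },
        "accessPolicies": [{"objectId": "6c0ad51c-0000-4b2b-0000-000000000000"}],
        "publicNetworkAccess": "Enabled",
    },
}


def extract_ipv4_prefixes(service_tags, region):
    """Steps 6-7: pick the PowerPlatformPlex.<region> tag and keep IPv4 prefixes only."""
    wanted = f"powerplatformplex.{region}".lower()
    for tag in service_tags.get("values", []):
        if tag.get("name", "").lower() != wanted:
            continue
        props = tag.get("properties", {})
        # The API returns "addressPrefixes"; the post's schema spells it "AddressPrefixes".
        prefixes = props.get("addressPrefixes") or props.get("AddressPrefixes") or []
        return [p for p in prefixes if ipaddress.ip_network(p, strict=False).version == 4]
    raise LookupError(f"service tag {wanted!r} not present in the response")


def build_ip_rules(prefixes):
    """Step 8: shape each prefix as a Key Vault ipRules entry."""
    return [{"value": p, "action": "Allow"} for p in prefixes]


def merge_ip_rules(current_config, ip_rules, keep_existing=False):
    """Step 9: replace only properties.networkAcls.ipRules; everything else is kept.
    Refuses an empty list, because with defaultAction=Deny that would lock out
    every caller not covered by bypass. keep_existing=True retains rules that
    were added by hand (an addition; the flow on the page replaces them)."""
    if not ip_rules:
        raise ValueError("refusing to write an empty ipRules list")
    updated = copy.deepcopy(current_config)
    acls = updated["properties"]["networkAcls"]
    if keep_existing:
        known = {r["value"] for r in ip_rules}
        ip_rules = ip_rules + [r for r in acls.get("ipRules", []) if r["value"] not in known]
    acls["ipRules"] = ip_rules
    return updated


def build_put_body(updated_config):
    """Step 10: body for the Vaults Create Or Update PUT (location + properties)."""
    return {
        "location": updated_config["location"],
        "tags": updated_config.get("tags", {}),
        "properties": updated_config["properties"],
    }


def put_vault_config(vault_url, bearer_token, body):
    """Send the PUT (network call; not executed here). vault_url and token are the caller's."""
    req = urllib.request.Request(
        vault_url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    rules = build_ip_rules(extract_ipv4_prefixes(SAMPLE_SERVICE_TAGS, "EastUS"))
    print(json.dumps(build_put_body(merge_ip_rules(SAMPLE_CURRENT_CONFIG, rules)), indent=2))
```

Running the script prints the PUT body for the constructed data; in it the IPv6 prefix and the Storage tag are gone, `bypass`, `defaultAction` and the access policies are untouched, and the hand-added rule is absent unless `keep_existing=True` is passed.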
Conclusion
By using the Service Tag and Key Vault APIs correctly, we can automate the inclusion of outbound IPs from different cloud services, not just Dynamics 365 Finance. This is just a proof of concept that you can adjust to your needs and with other cloud components. In the next section you will find the reference links to the Service Tag and Key Vault APIs to explore in more detail the options they provide.
- Service Tags – List – REST API (Azure Virtual Networks) | Microsoft Learn
- Vaults – Get – REST API (Azure Key Vault) | Microsoft Learn
You can also download this Power Automate example which you can edit to your needs with your own Azure subscription, tenant app registration values, secret and key vaults.